Commit 0bc86477 authored by Tim van Dijen's avatar Tim van Dijen

Address comments

parent df9bbf54
...@@ -16,7 +16,7 @@ See the upgrade notes for specific information about upgrading. ...@@ -16,7 +16,7 @@ See the upgrade notes for specific information about upgrading.
to comply with SAML2INT to comply with SAML2INT
* core:PairwiseID and core:SubjectID authprocs no longer support the 'scope' config-setting. * core:PairwiseID and core:SubjectID authprocs no longer support the 'scope' config-setting.
Use 'scopeAttribute' instead to identify the attribute holding the scope. Use 'scopeAttribute' instead to identify the attribute holding the scope.
* Unsolicited responses can denied by disabling it by setting `disable_unsolicited` to `true` in the SP authsource. * Unsolicited responses can denied by disabling it by setting `enable_unsolicited` to `true` in the SP authsource.
## Version 1.19.1 ## Version 1.19.1
......
...@@ -219,8 +219,8 @@ Options ...@@ -219,8 +219,8 @@ Options
in the IdP-remote metadata overrides this the option in the SP in the IdP-remote metadata overrides this the option in the SP
configuration. configuration.
`disable_unsolicited` `enable_unsolicited`
: Whether this SP will refuse to process unsolicited responses. The default value is `false`. : Whether this SP is willing to process unsolicited responses. The default value is `true`.
`discoURL` `discoURL`
: Set which IdP discovery service this SP should use. : Set which IdP discovery service this SP should use.
......
...@@ -1139,10 +1139,6 @@ class SP extends \SimpleSAML\Auth\Source ...@@ -1139,10 +1139,6 @@ class SP extends \SimpleSAML\Auth\Source
if (isset($state['saml:sp:isUnsolicited']) && (bool) $state['saml:sp:isUnsolicited']) { if (isset($state['saml:sp:isUnsolicited']) && (bool) $state['saml:sp:isUnsolicited']) {
$spMetadata = $source->getMetadata(); $spMetadata = $source->getMetadata();
$disableUnsolicited = $spMetadata->getBoolean('disable_unsolicited', false);
if ($disableUnsolicited === true) {
throw new Error\BadRequest('Unsolicited responses are denied by configuration.');
}
if (!empty($state['saml:sp:RelayState'])) { if (!empty($state['saml:sp:RelayState'])) {
$redirectTo = $state['saml:sp:RelayState']; $redirectTo = $state['saml:sp:RelayState'];
......
...@@ -101,8 +101,8 @@ if (!empty($stateId)) { ...@@ -101,8 +101,8 @@ if (!empty($stateId)) {
} }
} }
$disableUnsolicited = $spMetadata->getBoolean('disable_unsolicited', false); $enableUnsolicited = $spMetadata->getBoolean('enable_unsolicited', true);
if ($state === null && $disableUnsolicited === true) { if ($state === null && $enableUnsolicited === false) {
throw new Error\BadRequest('Unsolicited responses are denied by configuration.'); throw new Error\BadRequest('Unsolicited responses are denied by configuration.');
} }
...@@ -158,13 +158,13 @@ $expire = null; ...@@ -158,13 +158,13 @@ $expire = null;
$attributes = []; $attributes = [];
$foundAuthnStatement = false; $foundAuthnStatement = false;
// check for duplicate assertion (replay attack)
$config = Configuration::getInstance(); $config = Configuration::getInstance();
$storeType = $config->getString('store.type', 'phpsession'); $storeType = $config->getString('store.type', 'phpsession');
$store = StoreFactory::getInstance($storeType); $store = StoreFactory::getInstance($storeType);
foreach ($assertions as $assertion) { foreach ($assertions as $assertion) {
// check for duplicate assertion (replay attack)
if ($store !== false) { if ($store !== false) {
$aID = $assertion->getId(); $aID = $assertion->getId();
if ($store->get('saml.AssertionReceived', $aID) !== null) { if ($store->get('saml.AssertionReceived', $aID) !== null) {
......
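Review bot: The new check on the `$enableUnsolicited` line denies unsolicited responses only when the option is `false`, but the upgrade note changed in the same commit tells administrators to set `enable_unsolicited` to `true` to deny them, so an operator following that note would leave IdP-initiated responses enabled while believing they are blocked. The docs-file hunk for the option (default `true`, "willing to process") agrees with the code, so the upgrade note is the line to correct: `Unsolicited responses can be denied by setting enable_unsolicited to false in the SP authsource.` With the equivalent check removed from SP.php in this commit, this appears to be the only place the option is enforced, which deserves a short comment above the `getBoolean` call, e.g. `// No stored state means an unsolicited (IdP-initiated) response; refuse it unless the SP opts in.` The surrounding script continues outside the hunk.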